By Roger Bambino for Tech JaJa
Dr. Bright Gameli Mawudor heads the Cyber Security Service Team at Internet Solutions. He recently bumped into some MultiChoice credentials on the open Internet as he was giving a live demo at a conference.
Dr Gameli, who is also the co-founder of AfricaHackOn, was giving a speech at a recent MyBroadband CyberSec Conference, where he revealed that the DStv hack was more or less accidental: he uncovered a text file full of MultiChoice credentials on a misconfigured web server in the middle of a live demo.
He told MyBroadband that he was demonstrating a technique known as Google Dorking. This involves using Google’s highly technical search operators to find information people didn’t imagine would be found on the open Internet. To put this in context, many people put a lot of information, including ripped media series for download, on Internet-connected servers, which Google eventually crawls and indexes.
As he was trying to demonstrate how easy it was to find credentials for streaming services like Netflix and Hulu with a Google search, Mawudor thought he could do the same for DStv.
“Nobody knew what happened, I took it off quickly. I didn’t want anybody to see. Later I went to analyse the details,” Mawudor said.
Being an ethical hacker, Mawudor chose not to misuse the information he found, as it would have done a tremendous amount of damage to DStv’s business.
“I would have been able to use those credentials to log into the monitoring of live [sports] matches that were going on, [or] into the VPN and into the internal network,” he said.
He could have used this data to shut down systems or change live broadcasts if he so wished. Advising companies on security, Mawudor said:
“Organisations need to go beyond occasional penetration testing and do vulnerability management — frequently doing an assessment of all your systems, networks, and appliances to make sure they are always screened for the latest vulnerabilities.”